Dynamically Adjusting a Model for a Security Operations Center

1. A method for dynamically adjusting a model for a security operations center (SOC), the method being implemented in a computer system composing a physical processor, the method comprising: constructing a customer storage model over a set of time periods for a customer based on a set of resources of the SOC, a storage distribution model receiver from the customer related to expected usage of the set of resources, and a threat landscape for the customer; revising the customer storage model for a second time period of the set of time periods based on actual storage use of the customer during a first time period of the set of time periods, and a projection of an amount of data to be consumed in the second time period based on the threat landscape; and revising allocation of the resources in the SOC before the second time period based on the revision to the customer storage model.

2. The method of claim 1 , wherein the storage distribution model received from the customer comprises information related to expected usage of the set of resources over the set of time periods for the customer, wherein the expected usage of the set of resources comprises an average amount of usage, a maximum amount of usage, and a minimum amount of usage for each of the set of time periods.

3. The method of claim 1 , wherein the customer storage model is further revised based on a type of processing to be performed for the customer.

4. The method of claim 1 , further composing: accessing a new threat landscape for the customer; and revising the customer storage model for a third time period based on the new threat landscape for the customer.

5. The method of claim 1 , further comprising: accessing a customer storage policy of the customer, wherein the customer storage policy comprises a set of policy triggers, each policy trigger indicating that a change in allocation of the set of resources in the SOC is needed; and revising the allocation of the resources of the SOC at the second time period based on the actual storage use of the customer and the customer storage policy.

6. The method of claim 1 , further comprising: determining, based on the actual storage use of the customer, the customer storage model, and the customer storage policy, whether an individual policy trigger of the set of policy triggers may occur in a next threshold time period; and responsive to determining that the individual policy trigger may occur in the next threshold time period, providing information to the customer indicating that the individual policy trigger may occur in the next threshold time period.

7. The method of claim 5 , further comprising: predicting, based on the actual storage use of the customer, the customer storage model, and the customer storage policy, a next time period at which an amount of storage needed by the customer increases beyond the maximum allocation of the set of resources allowed for the customer based on the customer storage policy.

8. A system for dynamically adjusting a model for a security operations center (SOC), system comprising: a physical processor implementing machine readable instructions that cause the system to: manage a first customer storage model over a set of time periods for a first customer based on a set of resources of the SOC, a first storage distribution model received from the first customer related to expected usage of the set of resources, and a first threat landscape for the first customer; manage a second customer storage model over the set of time periods for a second customer based on the set of resources of the SOC, a second storage distribution model received from the second customer related to expected usage of the set of resources, and a second threat landscape for the second customer; revise the first customer storage model for a second time period of the set of time periods based on first actual storage use of the first customer, and a first projection of data to be consumed in the second predetermined time period based on the first threat landscape; and revise allocation of the resources in the SOC at the second time period based on the revision to the first customer storage model.

9. The system of claim 8 , wherein the first storage distribution model received from the first customer comprises information related to expected usage of the set of resources over the set of time periods for the first customer, wherein the expected usage of the set of resources comprises an average amount of usage, a maximum amount of usage, and a minimum amount of usage for each of the set of time periods.

10. The system of claim 8 , wherein the physical processor implements machine readable instructions that cause the system to: access a first customer storage policy of the first customer, wherein the first customer storage policy comprises a first set of policy triggers, each policy trigger indicating that a change in allocation of the set of resources in the SOC is needed; and revise the allocation of the resources of the SOC at the second time period based on the first actual storage use of the first customer and the first customer storage policy.

11. The system of claim 10 , wherein the physical processor implements machine readable instructions that cause the system to: determine, based on the first actual storage use of the first customer, the first customer storage model, and the first customer storage policy, a next time period at which an amount of storage needed by the first customer increases beyond the maximum allocation of the set of resources allowed for the first customer based on the customer storage policy; and determine, based on whether the first customer storage policy allows dynamic increase of storage amount whether to increase the allocation of the resources of the SOC to the first customer.

12. The system of claim 11 , wherein the physical processor implements machine readable instructions that cause the system to: determine, based on whether the first customer storage policy requires secluded storage for the first customer, whether to increase the allocation of the resources of the SOC to the first customer.

13. The system of claim 8 , wherein the physical processor implements machine readable instructions that cause the system to: revise, in parallel to the revision of the first customer storage model, the second customer storage model for the second time period of the set of time period based on second actual storage use of the second customer, and a second projection of data to be consumed in the second time period based on the second threat landscape; and revise allocation of the resources in the SOC at the second time period based on the revision to the second customer storage model.

14. A non-transitory machine-readable storage medium comprising instructions for dynamically adjusting a model for a security operations canter (SOC), the instructions executable by a processor of a computing device to: receive, from a first customer, a first storage distribution model that comprises information related to expected usage of a set of resources of the SOC over a set of time periods for the customer, wherein the expected usage of the set of resources composes an average amount of usage, a maximum amount of usage and a minimum amount of usage for each of the set of time periods; manage a first customer storage model over the sot of time periods for the first customer based on the set of resources of the SOC, the received first storage distribution model and a first threat landscape for the first customer; revise the first customer storage model for a second predetermined time period of the set of time periods based on first actual storage use of the first customer, and a first projection of data to be consumed in the second predetermined time period based on the first threat landscape; and determine whether to revise allocation of the resources in the SOC at the second time period based on the revision to the first customer storage model and a first customer storage policy of the first customer.

15. The machine-readable storage medium of claim 14 , therein the instructions are executable by the processor to: receive, from a second customer, a second storage distribution model that comprises information related to expected usage of the set of resources of the SOC over the set of time periods for the second customer, wherein the expected usage of the set of resources comprises an average amount of usage, a maximum amount of usage, and a minimum amount of usage for each of the set of time periods; manage a second customer storage model over the set of time periods for the second customer based on the set of resources of the SOC, the received second storage distribution model and a second threat landscape for the second customer; revise the second customer storage model for a second time period of the set of time periods based on second actual storage use of the second customer, and a second projection of data to be consumed in the second time period based on the second threat landscape; and load balance allocation of the resources in the SOC among a set of customers storing data in the SOC, the set of customer comprising the first customer and the second customer.